Research Examples on Computer Forensics (2009) Michael M.

Computer Forensics ~ Computer Science 1 INTRODUCTION
H. M. Customs and Excise have broken a smuggling ring dealing in rare and endangered species. One of the felons was utilising a Microsoft Windows based laptop to record details of their illegal trade and is suspected of corresponding with a number of his co-conspirators via the laptop. The primary objective of this research was to detail typical places in a Windows based file system where incrimination evidence may be hidden and a discussion regarding key technologies that may have been used for communication with his partners and the resulting difficulties they may pose to the forensics investigators.

2 CONCEALING DATA ON A WINDOWS-BASED HARD DISK FILE SYSTEM
Microsoft Windows systems are typically found formatted in one of the following two file systems (Mirza, 2008)xxxvii: File Allocation Table (FAT) or New Technology File System (NTFS). The FAT file system architecture is found as a legacy 12-bit version (FAT12), 16-bit version (FAT16) and more commonly a 32-bit version (FAT32). The defining characteristic of these file systems is their maximum volume size, which are 32 MB, 2 GB and 2 TB, respectively. As most modern computer have a Hard Disk Drive (HDD) capacity of at least 1 GB, the FAT12 system is considered outdated and has such been termed a ‘legacy’ technology. The NTFS (also known as the ‘Windows NT File System’), introduced in July of 1993, superseded FAT as the file system of choice due to many of its inherent improvements. The primary hiding mechanisms will be focussed upon hard drive architecture, their basic geometry and these two file systems.

The Host Protected Area (HPA) is a reserved area that is found on some HDDs, where Device Configuration Overlay (DCO) allows computer manufacturers and vendors to store data in the HPA, which is protected from conventional access such as Windows Explorer (Mirza, 2008)xxxvii. With ample knowledge on DCO and HPA, a computer program may be developed to store sensitive data by taking advantage of this “physical” feature. Since the availability of the HPA is limited to certain makes and models of HDDs, it would be useful for any forensic investigator to have access to a comprehensive database on all such brands, makes and model serial numbers which support HPA as well as detailed information on any proprietary modifications to the HPA or DCO methods and manufacturer supplied utilities for accessing the information held in the HPA. During the phase of installing Microsoft Windows, the HDD needs to be partitioned and formatted. A partition sector, also commonly called a Master Boot Record (MBR), is the first sector of a partitioned volume of a HDD. Although the primary purpose of the MBR is to hold the disks partition map (primary partition table), since the MBR only requires a single drive sector and partitions must start on the boundary of a cylinder, the MBR will have sixty two empty sectors which are ideally suited for storing sensitive information within this ‘free space’ (Carrier, 2005)v. Volume Slack (VS) is defined as ‘wasted space’ as it is free space of a HDD that has not been partitioned. It is possible to create a partition, write sensitive information to that partition, and delete that particular partition so that it becomes Volume Slack (Casey, 2004)xxviii. Since this space is no longer partitioned, the Operating System (OS) will not be able to access this area via a mapped drive letter in Windows Explorer. The next stage once the partitions have been created, the drive needs to be formatted with an appropriate file system. Depending on the chosen type of file system, data can only be accessed as block-sized chunks rather than whole sectors. Whilst this improves the efficiency in accessing and storing data (read/write latency etc) within the file system, it may lead to wastage of sectors at the end of the partition if the total number of sectors is not an integer multiple of the block size. Of course, these wasted

sectors are once again an ideal location for writing sensitive data to as it is not typically accessible by the OS and is dubbed ‘partition slack’ (Casey, 2004)xxviii. All partitions, even those that have been configured as non-bootable, contain a boot sector. Therefore, the boot sector of a non-bootable partition is simply wasted space that is ideally suited for storing confidential information. Similarly, unallocated space within a partition is inaccessible by Windows until a particular file’s creation has been allocated to that space. Therefore, this unallocated ‘free’ space could contain sensitive information, however, it is quite a gamble as any modifications made within Windows could lead to over-writing of this space, and thereby potentially losing the data (although it could be retrieved if the drive platters are read by hand). Looking back at the file system, it is also possible to ‘abuse’ the functionality of a particular safety feature in both FAT16/32 and NTFS to hide information within blocks marked as bad blocks. The purpose of marking bad blocks is to prevent data loss, and manipulating such metadata is once again ideal for the purpose of storing sensitive information (Britz, 2008)iii. The detailed storage locations for hiding data above apply to both FAT16/32 and NTFS. However, the NTFS file system allows for some unique locations for storing such sensitive information. Similar to the bad cluster metadata modification previously discussed, a particular metadata belonging to the NTFS file system is its Cluster Allocation Bitmap. The Cluster Allocation Bitmap is quite simply a complete map that marks the allocation status of each and every addressable cluster within the particular partition in question. Similar to the bad cluster method, it would only require for the contents of the Cluster Allocation Bitmap to be modified, although the fact that a malicious modification has taken place would be made obvious if it were inspected. The advantage of using this method, however, is that the hidden information would persist in its hidden state for the lifespan of the file system (Farmer and Venema, 2005)xxxiv. The NTFS file system in particular also provides for a couple more alternatives. One possibility would be to alter the Alternate Date Streams (ADS), which are associated with the Master File Allocation Table (MFT). Modification of reported such files streams would be suited for hiding sensitive data, as they are not within the scope of

Windows Explorer. NTFS has another inherent ‘quirk’ with regards to handling extremely small files and ADS. In the event a particular file is sufficient small enough to occupy the space within the MFT, rather than referencing its location, the entire file itself would be stored within the MFT (Jones, Bejtlich and Rose, 2005)x. This allows for a computer program to create multiple such files to create enough ‘free space’ within the MFT, delete them and proceed creating a potentially large enough file within the MFT to store hidden information of choice. Of course, this hidden information would only persist until further small files start to overwrite this particular location in the MFT, and as such would be best suited for ephemeral data. The above discussion shows that most of the ‘hiding’ places within a typical Windows-based file system are more suited for ephemeral data, whilst the more long term hiding places are easier to detect. However, any information found in the previously discussed locations where data could be concealed, it has being taken for granted that the data would be stored in plain text without first undergoing some form of encryption such as 3DES, Blowfish, or even Advanced Encryption Standard (AES) (Burnett, 2001)iv.

3 COMMUNICATION EFFORTS

TECHNOLOGIES

THAT

THWART

FORENSIC

Accessing the Internet is simpler than ever with free WiFi in many coffee shops and even unsecured networks in many densely populated cities. A couple years ago, accessing e-mail relied on client programs running on the users computer via POP/SMTP sessions – leading to all the emails being stored locally on the computers file system. This is no longer the case. With many free email services available online, there are far more users relying in storing most of their information online as a result of cloud computing (Miller, 2008)xii. In the following discussion of the various means by which an individual could communicate with his or her co-conspirators regarding their illegal activities, an assumption is made where this individual has at least a basic working knowledge of covering their tracks after any of the web browsers installed on their system. This

includes, but is not limited to, clearing all details of browsing history, download history, saved Form and Search history, cache, cookies, offline website data, saved passwords and authenticated SSL sessions. Currently, even Google offer an online system called ‘Google Docs’ which is a free web-based word processor and spreadsheet application enabling easy collaboration. Making matters even more complicated, for example, the free email service by Google (GMail) has an option to always force the browser to connect via a Secure Sockets Layer (SSL) encrypted session. This is also supported by other free email systems such as Hotmail and Yahoo. RC4 is the stream cipher used in SSL, as a 128 or 256-bit cipher that offers remarkable performance although it does have several weaknesses. However, from an evidence-gathering standpoint, these weaknesses would only be of use if exploiting a particular SSL session between known Internet Protocol (IP) addresses (Viega, Messier and Chandra, 2002)xix, and therefore would not leave any traces on the laptop as long as the user has been careful. With the popularity of cloud computing, from a forensics perspective, the browser software installed on a Windows system (Microsoft Internet Explorer, Mozilla Firefox, etc.) would need to undergo close scrutiny for evidence in the form of its cache, history, cookies and most recently downloaded files. Although it may be possible to obtain some information via this method, it is not the only means for communication across the Internet and World Wide Web (WWW). Since it is common knowledge that many intelligence gathering agencies, such as MI6, Interpol, FBI, and the CIA, around the world are screening email traffic for “tell tale” signs of communication of a less than legal nature, a scrupulous individual could take advantage of the free online email systems in the following manner: login to the email system and create a draft email with whatever information that needs passing. Their co-conspirators also access this same email account, accessing the draft, as only these two parties have the respective username and password for the email account. As such, no actually emails are ever sent and all the information is stored in the ‘draft’ folder.

This could also be applied to other online services such a Scribd, which offers an easy means for collaborating documentation as PDF and Word content. It even supports a means for storing ‘private’ files online, and only those given a particular Uniform Resource Locator (URL) may be able to access the private document in question. However, it is quite possible that the Scribd system has text scanning systems in place to ensure such information does not stay active on their system for long, but it will only ‘flag’ information that is posted as being blatantly obvious – it is unlikely any intelligence agencies would be notified by the posting of a recipe for a thin crust pizza. With the exercise of caution and a certain degree of common sense, this system could easily be used for passing sensitive information between parties. Further more, the Scribd URL to private documents could easily be communicated to co-conspirators via the Short Message Service (SMS), which is a standardized communication service in the GSM cellular communication system, and as such would leave no traces that such a document was ever passed to someone else – unless the browser’s logging features suggest otherwise. For the most tech savvy criminals, a secure Virtual Private Network (VPN) that utilises cryptographic tunnelling is another extremely feasible means of communication. VPN is an extremely powerful system and is therefore a standard feature of most corporate networks, allowing their employees to work from home and while on the move (Steinberg et al., 2005)xviii without compromising the security of their network and data. During a VPN session, the connecting user will be effectively logging onto this remote network of computers, thereby gaining complete access to all shared volumes, attached computer peripherals and computer terminals themselves (depending on their firewall configuration and network topology). “Local” video conferencing would be extremely simple to achieve, as well as transferring files and other data whilst connected to the remote network via VPN (Snader, 2005)xvii. It would be the duty of the forensic investigator to check if the IP address of the VPN network (or networks) they have connected to has been recorded in some way, or if any logs of such sessions are recorded locally on the HDD of the laptop.

Although less complicated in setting up and connecting, a Secure Shell (SSH) connection to a remote server allows for an encrypted session for the duration of the link. Once again, the two parties are able to exchange files (via File Transfer Protocol or FTP), utilise instant messaging and a host of other capabilities. However, the SSH system is susceptible to ‘man in the middle’ attacks. Not unlike VPN though, this is another secure means of cryptographic tunnelling via the Internet (Barrett, Silverman and Byrnes, 2005)ii. FTP is a simple system devised on Linux and Unix based system for the transferring of files between a client and a FTP server, and vice versa. A typical FTP session runs completely unsecured in the open, even with the username and password transmitted as plain text and can easily be captured with a packet sniffer listening on port 21 (Kozierok, 2005)xi. To ensure that such a connection is made with a means of encryption, a viable alternative would be the SSH File Transfer Protocol (SFTP) or FTP over SSL (FTPS). Although the FTP/SFTP system was not designed as a means for passing information, one could easily take advantage of it in this fashion. Suppose the co-conspirators have setup a FTP server (or daemon as they are commonly called, and thus FTPd) and they place their ‘secret’ information in the FTPd welcome message that is customised to only appear to a particular user who logs in. Such messages could be setup for each of the various accounts for their co-conspirators, who only simply need to login over SFTP to received the information, and they can easily leave there response by transferring their comments and response as a file to their folder on the FTPd. Paired with SMS messaging, it would be extremely simple for the members of their organisation to handle communications in this fashion. It is, however, possible to find out if SSH sessions have been in use on the laptop. Since SSH is native to Linux and Unix based systems, a typical Windows program to offer similar simulation would be Cygwin, or alternatively to actually run a flavour of Linux (such as Ubuntu or Debian) via a Windows application known as VMWare (Newham, 2005)xiv.

~/.ssh/known_hosts and such a typical file might contain something similar to what is shown below,
128.138.249.8 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0d7Aoure0toNJ+YMYi61QP2ka8m5x5ZQlT7obP8CK 3eropfqsMPPY6uiyIh9vpiFX2r1LHcbx139+vG6HOtVvuS8+IfMDtawm3WQvRuOopz3vV y5GtMwtaOgehsXoT930Ryev1bH5myPtWKlipITsOd2sX9k3tvjrmme4KCGGss=

As seen from the example above, the destination IP address is stored along with the RSA public-key hash. This research would not be complete without discussing freely available Instant Messaging (IM) systems such as Windows Live Messenger (formerly named MSN Messenger), Yahoo Messenger, ICQ and AOL Instant Messenger (AIM). These systems allow users to freely ‘chat’ in purely text mode by running the same client application on each of their PCs. However, their communications are routed through the servers belonging to the companies that developed the client applications and as such encryption is not a main feature of this applications (Wikipedia, 2009)xxi. Alternative software such as BitWise IM is available freely and also supports realtime 128-bit Blowfish encryption, whilst the paid professional version supports 448bit Blowfish encryption. This particular application also generates a new random key for each and every new conversation. In terms of evidence gathering, a regular feature of these programs is their ability to log conversations to the HDD as plain text files that are usually time stamped. Since this is a user-enabled option these log files may or may not exist on the system. Reflecting back upon the discussion regarding GMail, the free web-based email system provided by Google, it also features an IM system called GMail Chat. In the event the connection to GMail is made over the Hypertext Transport Protocol (HTTP), all the contents of these conversations can easily be compromised by anyone looking to do so over the Internet. However, if the web browser connects to the GMail system with SSL enabled, the contents of these conversations will be far more difficult to tap into.

With regards to making voice and video calls over the Internet, Skype offers free voice calling between Personal Computers (PC) utilising the Internet (Abdulezer et al., 2007)i. Their system utilises Advances Encryption Standard (AES), also known as Rjindael (Daemen and Rijmen, 2002)xxii as it is a portmanteau of the names of the two inventors of the Rijndael cipher – Joan Daemen and Vicent Rijmen, with a 256bit encryption key to actively encrypt the data of voice calls, voice and video calls (known as video conferencing), and instant messages (Skype, 2009)xvi. It is clear that making free calls over the Internet, which are encrypted, is an extremely attractive alternative for communicating with co-conspirators. With much exercised prudence and care, even if each call is logged and analysed by the Skype system, it is highly unlikely that it would get flagged unless both parties are extremely incompetent and careless. The Instant Messaging aspect of Skype allows for these conversations to be recorded to the HDD, and is most likely the only evidence it would leave behind apart from the various Skype contacts if the user of the program allowed Skype to remember his password. Of course, Skype also allows those with Skype Credit to make PC to landline calls, where part of the call is carried over the Internet and the rest over fibre optic, Voice over Internet Protocol (VoIP), Cellular (GSM/3G) and Public Switched Telephone Networks (PSTN) (Wallingford, 2005)xx. This of course, poses a couple risks to the parties using this system for communication: (1) the caller has to have Skype Credit in their account, and this needs to be purchased via a Credit Card or PayPal account and (2) the final number being called gets recorded on the passing and target network. As for the former, a stolen Credit Card could be used or a hacked PayPal account, but this would result in their current IP address being noted down. This alone may not help as they could be connecting through many piggybacked proxy servers to mask their real IP or they could even be connecting via an unsecured WiFi connection in a metropolitan area (although, this would place them within a 32 m radius to a maximum radius of 95 m from the location of the wireless base station. This would result in their possible location covering a 3.2 to 28 square-km area, respectively). A similar system is also offered by Google Talk (GTalk), which runs natively as a Windows web-based application and offers Instant Messaging and VoIP

communications between PCs. Unlike Skype, the GTalk system does not impose complete encryption at this point in time. Another popular means of online communication is Internet Relay Chat (IRC), that allows for real-time text based chat by joining a particular IRC server utilising a freely available IRC client (Charalabidis, 1999)vii. One of the most popular IRC clients for Windows is mIRC, and similar to most other communication applications it allows for previous conversations or sessions to be logged to the HDD. Unlike IM conversations, with IRC, the user must join an IRC server of his choice and there are many such servers based on the country they are based in. Upon joining an IRC server, the user can either join pre-existing IRC channels or join and create his own. At this point, any co-conspirators may join the same channel and enter a private conversation. Files can be exchanged via Direct Client-to-Client (DCC) connection or a Secure DCC (SDCC), which can also allow individuals to privately chat over IRC with encryption enabled. It should be noted that both DCC and SDCC, are peer-to-peer (P2P) connections that are independent of the IRC client-server connection, that rely directly upon the Wide Area Network (WAN) IP addresses belonging to the PCs of both users. SSL may be used on the client-server connection, depending on the particular features of that server, to make eavesdropping on a particular users IRC session difficult. Internet Forums or messaging boards are extremely popular web applications that allow for users to collaborate online in a system akin to traditional Bulletin Board Systems (BBS), in the days of dialup Internet well before broadband was introduced. Most forums are dedicated to a central theme – some are dedicated to Computer Technology and Hardware discussions, such as HEXUS.net, and some are even dedicated to specific hobbies, interests and discussions. Most online forums simply require a user to define a ‘nickname’ to be recognised by and to supply a valid email address to register on the system. Once this is setup, they are free to access various features of the forum as well as a Private Messaging (PM)

communicating via forums utilising their PM system as a means for conversation, while only some forums tend to monitor PMs sent and received. Once again, as long as common sense and a degree of caution is exercised, an online forum could be ideally used between co-conspirators although they would be limited by not being able to exchange files by this method. As such, a system such as Scribd could be use in conjunction to overcome this limitation. In the event they decided to communicate by means of digital photos, many free online systems are also available for this purpose, with Flickr and Photobucket being the most popular. Although they present a limitation on the number of photos uploaded, a fair amount of photos can still be stored online with full access to anyone accessing the site with a web browser or mobile device with such capabilities, such as the Apple iPhone. This notion could also be extended to the extremely popular networking and socialising web-applications such as FaceBook and MySpace. These systems allow for users to post online profiles about themselves, host freely photographs and even video clips in their accounts as well as privately communicate utilising across the sites system (Shuen, 2008)xv. In all likelihood these systems monitor all private communications, but as mentioned earlier, they will never cause for panic, unless someone were to blatantly pass across the list of chemicals and instructions required to manufacture military-grade explosives. Used sensibly, it could be ideally used for the co-conspirators to easily communicate with each other privately, and even ensure that no record of these communications are held locally on the HDDs of their computers.

4 CONCLUSION
With regards to concealing information in the laptop’s file system, it is apparent that most of the options result in storing ephemeral data while the more reliable methods are more straightforward. However, even if this data is located, it is far more likely that it would be encrypted in one of the more reliable encryption algorithms.

In terms of communication technology that may pose problems to the team of forensic investigators, many avenues exist for utilising freely available online systems for making contact and passing information across, with very little scope for leaving evidence behind. It is a given though, that a careless criminal could easily leave behind enough evidence that is easily accessible. At the end of the day, if dissecting the file system down to it minimum does not prove to be useful, the only alternative would be to have the hard disk platters manually read allowing possible access to data that was not sufficiently deleted or undergone any secure erasing (known as zeroing).

POSSIBLE DEFENCES FACED IN COMPUTER FORENSICS
ABSTRACT: The aim of this research was to study the possible defences faced by a prosecuting investigator, with regards to Computer Forensics. The focus was on techniques used in concealing data in modern mass storage media, popular file systems, and the consequences of data encryption (to current standards) on successful retrieval of forensic evidence.

5 INTRODUCTION
The aim of this research was to detail some of the possible defences that may be faced by a prosecuting investigator. Since these defences vary directly with the nature of the particular case at hand, this research attempts to address the most relevant domains of Computer Forensics with regards to the concealment of digital data in media and its file system structure. Other hiding methods are out of the scope of this research, which include (but are not limited to) – Swap files, binding executable files together, compressed files, renamed files, BIOS parameter alteration, and steganography.

6 CONCEALMENT OF DIGITAL DATA
The two types of data collected in Computer Forensics are persistent data and volatile data. The former is information that is preserved in the storage media of choice when the power to the computer, or device, is removed and is even applicable to many mobile devices in production today. Volatile data is data stored in memory – cache and Random Access Memory (RAM) of a computer, including mobile devices, and is inherently ephemeral in nature as it is lost within a matter of seconds to a couple minutes at most once the power is removed and supporting capacitive-circuits discharge. In current times, the concealment of digital data is usually attributed to steganography, watermarking, and cryptography (Cole, 2003). The word steganography means concealed writing and as such is concerned with concealing the communication of its contents. Watermarking is more concerned with the addition of sufficient information to establish its source or provenance. cryptographer’s interest lies in obscuring the message’s contents. It can be seen that both steganography and cryptography are both means by which the information of interest is concealed or obscured, and even sometimes embedded in other information such as pictures. Whereas, the object of interest is protected by the obscured or embedded watermark created by digital watermarking, not unlike a Similarly,

combined with cryptography, although as an added measure rather than a requirement. Further more, imperceptible watermarking would be inherently related with steganography, in terms of functionality. The inclusion of Metadata can be considered as a loose application of perceptible watermarking. Since it is perceptible, it inherently does not comply with the philosophy of watermarking, however, as implied by the name it means “data about other data” – and therefore, tends to be descriptive of other data and depending on its context can hold information such as author, date last accessed, and copyright. Metadata was found embedded in a deleted Microsoft Word document on a 3.5” floppy disk, sent by the BTK killer on 16th February 2005 in Wichita, Kansas, USA. The recovered metadata revealed the document had been last modified by “Dennis” and contained “Christ Lutheran Church” (Smith, 2006). A search of the church website detailed a Dennis Lynn Rader as a member of their congregation thereby providing the police with their first suspect in the case and strong circumstantial evidence. He was arrested ten days later and formally charged with the murders on the 28th of February 2005 (Douglas and Dodd, 2008). In considering the process of concealing data digitally, there is also a physical aspect to be considered – such as modern digital storage media, utilised to conceal digital information. Since most modern digital storage are not bit-addressable at the Operating System (OS) level, and addressability is at a far more abstract level, creates the possibility for data to be stored in inaccessible, or sometimes unnoticeable, areas of these digital storage media. Those looking to conceal data that could be potentially incriminating or utilise a computer for illegal activities tend to be aware that methods exist for deleted data to be retrieved. Therefore, they tend to resort to using freely available and commercial ‘disk wiper’ utilities in an attempt to be rid of any loose ends. Berghel and Hoelzer (2006) illustrate in their paper titled “What Does a Disk Wiper Wipe when A Disk Wiper Wipes Disks”, that these utilities are quite ineffective in eliminating all hidden data.

The most widely utilised and trusted implementation of symmetric key cryptography1 is the Advanced Encryption Standard (AES) algorithm, originally published as Rjindael (Daemen and Rijmen, 2002). In June 2003, the National Security Agency (NSA) of the US Government approved AES for its utilisation in protecting classified information (CNSS, 2003). Related-key attacks on AES-256 typically require 2128 different combinations. Biryukov and Khovratovich (2009) have shown two devised related-key attacks with a better complexity (2119 data and time), which essentially reduces the strength of AES-256 to virtually that of a 119-bit AES encryption. Although this is quite a significant attack, it is still far from a viable solution; hypothetically, if each operation took 1 picosecond (1×10−9 s) to complete – 2119 it would require ~ 2.11×1013 millennia or 21,000,000 billion years to complete! The authors believe their attack could be further improved to a complexity of 2110.5. Based on the previous € € 110.5 hypotheses, 2 operations would require a vastly reduced ~ 5.82 ×1010 millennia or 58,000 billion years.
€ Considering Landauer’s Principle that states, “…each bit of lost information will

release an amount of kT ln(2) of heat”, where k is Boltzmann’s constant and T is the Cosmic Microwave Background (CMB) radiation (2.725 K, today). Evaluating

E = 2110.5 kT ln(2) yields 6.9 ×1010 Joules of energy, which is an order of ten less than € € € the energy released in explosions of GBU-43/B Massive Ordnance Air Blast (MOAB) €
bombs or the M-388 Davy Crockett nuclear projectile used during the Cold War. € This is to simply illustrate the electrical power requirements for computers used in successfully cracking AES-256 utilising the related-key attacks devised by Biryukov and Khovratovich (2009). From a theoretical and mathematical standpoint, it seems that AES-128 is more secure than AES-256; however, in practical terms, AES-256 is still considered more secure and made evident by the NSA as they continue to implement AES-192 and AES-256 for information designated as TOP SECRET.
1

Halderman et al. (2008) have shown, on some computer systems, volatile data held in RAM can persist for approximately a minute after sleeping, hibernating or even shutting the system down. They extended this to > 8 minutes by physically accessing the memory modules and cooling them down to –50 ºC. The memory modules could even be removed in this cold state and transferred to another computer to undergo “cold boot attacks”. The paper details their obtaining of a 1 GB memory dump within four minutes. The coupling of cold reboots to mount attacks against popular disk encryption systems (including algorithms of AES-128, AES-192, and AES-256) – BitLocker in Microsoft Windows Vista, Apple’s FileVault disk encryption, open-source implementations such as TrueCrypt (for Windows, Mac OS X, and Linux) and dmcrypt found in Linux kernels since v2.6 – is simply reduced to the task of obtaining the encryption-key from RAM within minutes to unscramble encrypted information. When a forensics investigator is presented with a running system, time is of the essence with regards to gathering as much data from its volatile sources of evidence – running processes, ARP (Address Resolution Protocol) cache, list of open files, virtual and physical memory, and active network connections (Bidgoli, 2006). Considering the implications of the work by Halderman et al. (2008), a further step could be implemented to obtain a qualified forensic duplicate of data held in RAM, onto another data storage medium, via cold boot attacks. This will improve the possibility of circumventing any potential active disk encryption in place on the system (such as BitLocker, FileVault, TrueCrypt, and dm_crypt).

6.2

COMPUTER HARD DISK DRIVES AND FILE SYSTEMS

Modern storage media comes in various forms such as Hard Disk Drives (HDDs) to Compact Flash (CF), Secure Digital (SD), Secure Digital High Capacity (SDHC) cards and USB Flash Drives. During typical use, they would be partitioned and formatted to a popular file system, however, this many not always be the case especially with mass storage media encountered in the field.

Assumptions should not be made regarding recovered desktop PCs, laptop computers, HDDs, external portable HDDs, Flash storage and other mass storage devices. HDDs typically come in various physical sizes – 3.5”, 2.5”, 1.8”, 1.3”, 1”, and 0.85” thickness – with connectivity ranging from IDE (Integrated Drive Electronics) to SCSI (Small Computer System Interface) and Serial-ATA (SATA). HDDs could be utilised as means for storing and communicating incriminating evidence and would not be utilised in a regular manner and as such precautions need to be taken when forensically investigating data held on a HDD. With regards to HDDs, methods for hiding data take advantage of their architecture and geometry. Hiding mechanisms that rely in abusing inherent traits of partitioning schema and file systems not only affects HDDs but also Flash storage. Due to the computer skill required to take advantage of these data caches, it is extremely likely any data recovered would first be subjected to a form of encryption, as detailed in Section (6.1), further thwarting forensic efforts in evidence retrieval. This research considers the two main file systems utilised by computers operating Microsoft Windows as well as those operating Linux, a freely distributed OS that is well suited for manipulating and accessing these hidden and restricted areas in the file systems. The most common file systems in the Windows environment are the File Allocation Table (FAT) and New Technology File System (NTFS). The FAT file system is implemented today as a 16-bit version, FAT16, and a more common 32-bit version, FAT32. FAT16 allows a maximum file system volume of 2 GB, whereas FAT32 can support single partitions up to 2 TB in size (Mirza, 2008). The various flavours of Linux OSes have no problem in accessing and working with the FAT16 and FAT32 file systems, although most installations are formatted by default as Ext3 (or, the legacy Ext2) since it is a journaled file system (Carrier, 2005). A special feature, found only on certain makes of HDDs, the Host Protected Area (HPA) is designated as a reserved area on HDDs designed to store information that cannot easily be subjected to alteration by users, OS, or the BIOS (Basic Input/Output System). The purpose of the HPA is to allow computer manufacturers and vendors to store information and utilities, such as diagnostic tools and HDD utilities, whilst ensuring bit-level modification of data held in the HPA is typically made impossible

to installed operating systems (Gupta, Hoeschele and Rogers, 2006). In addition to this, an additional hidden area on modern HDDs is the Device Configuration Overlay (DCO), which allows vendors to configure HDDs of potentially various sizes to conform to having the same number of sectors (Mirza, 2008), i.e. the DCO would be used to make a 160 GB HDD appear as a 120 GB HDD to both the system BIOS and any installed operating systems. The availability of the HPA and DCO is only available on certain makes and models of HDDs and therefore their implementation is inherently a proprietary process by the respective HDD manufacturer. Forensic investigators therefore need to rely on the claims of HDD manufactures with regards to the capability of their tools, when creating forensic images in the field. These tools may or may not be able to properly detect and image the HPA, however, these vendors remain silent with regards to the imaging of the DCO. Gupta, Hoeschele and Rogers (2006) have recommended future research into the implications of creating or removing the HPA and DCO on the data integrity of a HDD. Since the HPA and DCO are independent of any partitioning schema or file systems, they are impervious to any such modifications made. Other means for hiding digital data look at taking advantage of features of respective file systems. Once again, in consideration of file systems on HDDs, the common methodologies for hiding information are – ‘free space’ within the Master Boot Record (MBR), volume slack, partition slack, boot sector of a non-bootable partition, unallocated space in a partition, bad-blocks, NTFS Cluster Allocation Bitmap, NTFS Alternate Data Streams (ADS), and the Master File Allocation Table (MFT) and extremely small files. Before the installation of an operating system, a HDD needs to be partitioned. Once partitioned, it is then formatted to a suitable file system that is useable by the operating system to be installed. The first sector of a partitioned volume of a HDD, is called the Master Boot Record (MBR). The MBR only requires a single drive sector and since partitions must start on the boundary of a cylinder, this results in the MBR containing sixty-two empty sectors (Casey, 2004) – this free space can be utilised to conceal information and is impervious to re-partitioning of the HDD and reformatting of the exiting partition.

If a partition is created and sensitive information is written to it with the intention of subsequently deleting the partition in question, it turns into what is known as volume slack (Carrier, 2005). This is essentially space on a HDD that has yet to be partitioned, and until this space is partitioned the data written to it will remain in the volume slack – yet remain inaccessible by installed operating systems. In the event the HDD is re-partitioned and the newly created partition and file system extend into this area – it would render the hidden data useless. Once a HDD has been partitioned and formatted with a suitable file system, depending on the chosen file system, data will be read and written as block-sized chunks instead of entire sectors. This tends to lead to a wastage of sectors at the end of partitions in the event the total number of sectors are not an integer multiple of the block-size – this free space is known as partition slack (Casey, 2004), and is once again a possible storage location for sensitive information. Any information stored in the partition slack would remain persistent during a re-formatting of the existing partition. However, in the event the HDD is re-partitioned and the newly created partition and file system extend into this area – this would render the hidden data useless. Partitions that have not been initialised as a non-bootable partition, still contain a boot sector. Therefore, this boot sector can be used to store information and would remain persistent, even if the partition is re-partitioned (which requires a re-format) or reformatted. However, moving the partition or initialising it as a bootable partition, via the Drive Manager in Windows, Disk Utility in Mac OS, or fdisk in Linux (Nelson, Phillips, Enfinger and Steuart, 2007) – would render the hidden data useless. Unallocated space in a partition can be utilised to hide data – although it would be ephemeral at best during normal use of a HDD. Any hidden data in the unallocated partition space would remain persistent if the data held on the HDD was not altered, unless intentionally. Any lapses on the part of the forensic investigator could result in the loss of any data held in this space, unless careful measures are taken (Bidgoli, 2006).

A safety feature present in both FAT16/32 and Windows NTFS is one that marks blocks as ‘bad-blocks’ so as to prevent data loss. The file system metadata that identifies bad-blocks could be altered (Carvey, 2004) so as to mark accessible blocks as bad-blocks. Once marked as bad-blocks, these ‘fake’ bad-blocks will no longer be accessible by Microsoft Windows and as such any data held by them will remain persistent on the disk, until it is re-partitioned (which requires a re-format of the newly created partition) or the existing partition is re-formatted. A special case of metadata belonging to the NTFS file system is its Cluster Allocation Bitmap, which is a complete map of every addressable cluster within a particular partition. Alteration of the Cluster Allocation Bitmap will allow for data to be hidden in a method similar to that of the ‘fake bad-block’ method (Farmer and Venema, 2005). Data hidden by this method would persist for the lifespan of the file system as long as it is not subjected to re-partitioning or re-formatting. NTFS offers a couple more special cases inherent to its design. One such case is where Alternate Data Streams (ADS), that are related to the Master File Allocation Table (MFT). The alteration of reported file streams would allow for sensitive data to be hidden – kept obscured from the purview of Windows Explorer and even command line access via the console. Further to this, NTFS has an inherent quirk with regards to handling rather small files and ADS. If the file was sufficiently small, rather than referencing its location via the MFT, it could be completely stored within it. This would allow for a conceived program to create multiple tiny files, so as to create enough references within the MFT to them – upon deleting all the created dummy files, it would free up the required space within the MFT for concealing a large enough file (Berghel and Brajkovska, 2004). This approach though is ephemeral in nature, as the freed up space utilised within the MFT will soon start to be populated with smaller references during typical use of the HDD.

All the details above apply to almost every file system implemented today including FAT16, FAT32, NTFS and Ext-based Linux file systems. The Linux ExtX file systems offer some unique data hiding places, are these are detailed below. The legacy Ext2 and current Ext3 (henceforth, “ExtX”) file systems are divided into separate sections known as block groups, which are used to store metadata, file names, and content. A superblock at the beginning of the file system contains information regarding the block group size and configuration – and copies of these are located throughout the partition. The block following the superblock, if present, or the first block of every group, if not present, contains what is known as a group descriptor table detailing the layout of each block group (Casey, 2002). ExtX superblocks have 1,024 bytes allocated to them, although the last 788 bytes are unused. Depending on the block size, it is possible for some reserved area to be located behind the superblock as well – this is known as superblock slack and is a digital hiding place for data unique to Linux file systems (Farmer and Venema, 2005). Data stored in the superblock slack is persistent as long as the partition is not moved when re-partitioned, and is immune to re-formatting of the existing partition. Since the ExtX group descriptor is only 32 bytes in size, a reserved area behind it exists, and the block bitmap that follows it starts on a block boundary. Therefore, a minimum of 992 bytes of space exists to conceal data and more available if the blocksize is great than 1,024 bytes (Carrier, 2005). This is known as ExtX group descriptor slack and data stored here is persistent as long as the partition is not moved when repartitioned, and is immune to re-formatting of the existing partition. ExtX directories behave like any other file in these Linux file systems, and therefore, are allocated in blocks such that the resulting space between the last directory entry and the end of the block can be used to hide data (Casey, 2004). During typical drive use this space can be encroached upon rendering data stored in this area useless. A comparative overview of the relative volatility of data concealment areas on HDDs and the various file systems that have been discussed are tabulated on the following page as Table 1.

7 CONCLUSION
In recent times, the most prominent case in the media to utilise Computer Forensics, with regards to locating obscured evidence in a data storage format, was the BTK killings by Dennis Rader – subsequently apprehended in 2005. With general public awareness constantly being raised by many popular forensic TV shows, the average perpetrator would tend to be better informed – especially on deleting data on HDDs, other storage media, and its ease of recovery by forensic investigators. Forensic software such as AccessData’s Forensic Tool Kit (FTK) and Guidance’s EnCase prove to be the more dominant commercial tools in the marketplace whilst one of the most well known open-source alternatives is The Sleuth Kit (TKT). The process of searching for hidden data is termed data carving and while these tools offer better analysis of storage media up to around 250 – 300 MB in capacity, hunting

down hidden caches of information on the larger capacities available today would be an incredible challenge considering that most manufactures are producing 1.5 TB HDDs, whilst Western Digital in particular are touting 2 TB HDDs – that’s 1,500 GB and 2,000 GB respectively; 300 MB represents 0.015% the capacity of a 2 TB HDD! These tools alone simply allow accessing hidden data, but do not provide any means around file encryption, compression, and steganography – although the list does go on. It is evident that possible defences faced by a prosecuting investigator in modern times are insurmountable, leaving the Computer Forensic industry at a serious disadvantage whilst perpetrators continually polish their skills and the sophistication of technologists on both sides of the law increases. The solution lies in leaving behind the doctrine of strict signature based analysis of storage media and looking at the research and development of intelligent heuristic processes driven by neural networks and “fuzzy logic”.